1. Field
The disclosed subject matter relates generally to computer security and, more particularly, to methods of and systems for enabling browser access to native code device identification for significantly more rigorous client authentication.
2. Description of the Related Art
The ubiquity of the Internet and the World Wide Web is reaching into nearly every aspect of people's lives, including those in which privacy and security are paramount. As more and more people use the Internet to conduct banking and to purchase goods, services, and licenses, it has become more and more crucial to guard against fraudulent transactions through the Internet. This includes the ability to accurately attribute user behavior and guard against various forms of fraud in the area of online digital advertising.
One approach is to authenticate the client device through which a transacting person is authenticated. The client device could include any type of computing device, such as a personal computer, smartphone, computer tablet, game console, as well as embedded systems that are integrated into other media devices (e.g., embedded systems in automobiles). Authenticating the device ensures that the person's personal authentication data has not been stolen and used on a different client device. One method of authenticating the device is to collect specific information about hardware components of the device, including digital serial numbers, and to combine the information into a digital fingerprint.
In many on-line services, thin clients (e.g., content displayed in a conventional web browser from the server) are often preferable to thick clients (e.g., software installed in the client device). There are a number of reasons for this preference, such as greater user convenience as software installation is not required and the ability to maintain the software—including bug fixes and feature enhancements—at the server in just one location rather than supporting many different versions of the thick client installed in thousands or even millions of client devices.
However, thin clients do not have access to the sort of information included in a client device's digital fingerprint. Due to security concerns, web browsers are configured to limit thin clients' access to just a small portion of the content and hardware of the client device. For example, granting a thin client access to an entire hard drive or other persistent storage device would allow a malicious thin client to scan the hard drive for passwords and other sensitive information or to destroy information stored on the hard drive. Due to concerns regarding the security risks to the client device, thin clients are simply not permitted to gather enough information from the client device to robustly authenticate it. Generally speaking, any information of the client device to which a thin client would have access could be spoofed.
In addition, thin clients are generally not permitted to interact with thick clients or other programs on the client device. This restriction stems from the same security concern. For example, if such interaction were permitted, a thin client that could not itself scan a persistent storage device could simply ask a resident file system browser to do that and report its findings.
What is needed is a way in which a thin client could have specific access to a thick client without also granting the thin client access to other programs on the client device.